Risk Quantification Demo

risk quantification
Author: John Benninghoff

Published: August 15, 2024

Modified: August 15, 2024

Risk Quantification demonstration for my SIRAcon 2024 talk, “UnFAIR: Simplifying and Expanding Technology Risk Quantification.”

Questions/TODO

Import

Import and validate data from Excel. The data in demo.xlsx is based on the examples developed here.

Environment Statement

(Describe the background and history of the system being analyzed, summary of existing state, and extended description of the risks)

Risk descriptions:

| risk | description |
|---|---|
| Cybersecurity Breach | Risk of a cybersecurity breach of the inventory system. |
| Technology Outage | Risk of an inventory system outage. |
| Loss of Customer | Risk of losing an existing customer or failure to acquire a new customer due to functional limitations of the inventory system. |

Forecast

Forecast risk using Monte Carlo simulation. The average events and losses for each risk are summarized below:

| risk | avg_events | avg_losses |
|---|---|---|
| Cybersecurity Breach | 0.25710 | $14,625,052 |
| Loss of Customer | 2.00429 | $10,332,282 |
| Technology Outage | 2.00110 | $98,087 |

Losses

Losses by risk separately and in aggregate:

Loss Exceedance Curves

Plot loss exceedance curves for all risks and combined risk.

By Risk

Plot loss exceedance curves for each risk:

Interactive plot:

Combined Risk

Plot loss exceedance curves for combined risk:

Interactive plot:

Appendix

Additional details on the risk quantification analysis.

Validation

Data validation results for Risks tab:

Data validation results for Estimates tab:

Estimates

All risk estimates:

| risk | expert | lambda | p05 | p95 | p50 |
|---|---|---|---|---|---|
| Cybersecurity Breach | Technology Expert 1 | 0.25 | NA | NA | NA |
| Cybersecurity Breach | Technology Expert 2 | 0.33 | NA | NA | NA |
| Cybersecurity Breach | Technology Expert 3 | 0.20 | NA | NA | NA |
| Cybersecurity Breach | Business Expert 1 | NA | $2,000 | $45,000,000 | $300,000 |
| Cybersecurity Breach | Business Expert 2 | NA | $1,400 | $34,000,000 | $200,000 |
| Cybersecurity Breach | Business Expert 3 | NA | $2,100 | $54,000,000 | $500,000 |
| Cybersecurity Breach | Unicorn Expert | 0.25 | $1,900 | $44,000,000 | $275,000 |
| Technology Outage | Technology Expert 1 | 2.00 | NA | NA | NA |
| Technology Outage | Technology Expert 2 | 3.00 | NA | NA | NA |
| Technology Outage | Technology Expert 3 | 1.00 | NA | NA | NA |
| Technology Outage | Business Expert 1 | NA | $700 | $200,000 | $15,000 |
| Technology Outage | Business Expert 2 | NA | $500 | $150,000 | $10,000 |
| Technology Outage | Business Expert 3 | NA | $675 | $180,000 | $11,000 |
| Technology Outage | Unicorn Expert | 2.00 | $800 | $220,000 | $16,000 |
| Loss of Customer | Technology Expert 1 | NA | NA | NA | NA |
| Loss of Customer | Technology Expert 2 | NA | NA | NA | NA |
| Loss of Customer | Technology Expert 3 | NA | NA | NA | NA |
| Loss of Customer | Business Expert 1 | 2.00 | $100,000 | $20,000,000 | $1,500,000 |
| Loss of Customer | Business Expert 2 | 3.00 | $150,000 | $30,000,000 | $2,000,000 |
| Loss of Customer | Business Expert 3 | 1.00 | $75,000 | $15,000,000 | $1,200,000 |
| Loss of Customer | Unicorn Expert | 2.00 | $75,000 | $15,000,000 | $1,000,000 |

Consensus Estimate

Using a simple average of all experts that provided an estimate (not blank/NA), this gives us a consensus estimate for the three risks of:

| risk | lambda | p05 | p95 | p50 |
|---|---|---|---|---|
| Cybersecurity Breach | 0.2575 | $1,850 | $44,250,000 | $318,750 |
| Loss of Customer | 2.0000 | $100,000 | $20,000,000 | $1,425,000 |
| Technology Outage | 2.0000 | $669 | $187,500 | $13,000 |

The consensus estimates for p05 and p95 result in the following parameters for log-normal loss magnitude. The p50 estimate is used to calculate the percentage difference from the actual median (mdiff), a measure of estimate accuracy:

| risk | lambda | p05 | p95 | p50 | meanlog | sdlog | mdiff |
|---|---|---|---|---|---|---|---|
| Cybersecurity Breach | 0.2575 | $1,850 | $44,250,000 | $318,750 | 12.564153 | 3.064840 | 11.41% |
| Loss of Customer | 2.0000 | $100,000 | $20,000,000 | $1,425,000 | 14.162084 | 1.610574 | 0.76% |
| Technology Outage | 2.0000 | $669 | $187,500 | $13,000 | 9.323472 | 1.713260 | 16.09% |
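
The following Python sketch is an added example, not the code behind this page. It reproduces the Cybersecurity Breach row (consensus average, log-normal fit from p05/p95, mdiff) and then runs a small Monte Carlo forecast with loss exceedance points. It assumes event counts are Poisson with rate lambda; the function names, seed and year count are illustrative.

```python
import math
import random
from statistics import NormalDist, fmean

# Cybersecurity Breach rows from the Estimates table above; None marks NA.
CYBER = [  # (lambda, p05, p95, p50)
    (0.25, None, None, None), (0.33, None, None, None), (0.20, None, None, None),
    (None, 2_000, 45_000_000, 300_000),
    (None, 1_400, 34_000_000, 200_000),
    (None, 2_100, 54_000_000, 500_000),
    (0.25, 1_900, 44_000_000, 275_000),
]

def consensus(rows):
    """Simple average per column over the experts who gave a value."""
    return tuple(fmean(v for v in col if v is not None) for col in zip(*rows))

def fit_lognormal(p05, p95, p50):
    """Log-normal whose 5th/95th percentiles equal p05/p95, plus mdiff."""
    z95 = NormalDist().inv_cdf(0.95)  # ~1.645; quantiles sit at meanlog -/+ z95*sdlog
    meanlog = (math.log(p05) + math.log(p95)) / 2
    sdlog = (math.log(p95) - math.log(p05)) / (2 * z95)
    median = math.exp(meanlog)  # fitted median, equal to sqrt(p05 * p95)
    return meanlog, sdlog, (p50 - median) / median

def poisson(rng, lam):
    """Knuth's multiplication method; adequate for the small lambdas used here."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k, p = k + 1, p * rng.random()
    return k

def simulate(lam, meanlog, sdlog, years, seed=1):
    """One (events, total loss) pair per simulated year (Poisson is an assumption)."""
    rng = random.Random(seed)
    out = []
    for _ in range(years):
        n = poisson(rng, lam)
        out.append((n, sum(rng.lognormvariate(meanlog, sdlog) for _ in range(n))))
    return out

def exceedance(forecast, threshold):
    """Point on the loss exceedance curve: share of years with loss > threshold."""
    return sum(loss > threshold for _, loss in forecast) / len(forecast)

if __name__ == "__main__":
    lam, p05, p95, p50 = consensus(CYBER)
    meanlog, sdlog, mdiff = fit_lognormal(p05, p95, p50)
    print(f"lambda={lam:.4f} meanlog={meanlog:.6f} sdlog={sdlog:.6f} mdiff={mdiff:.2%}")
    fc = simulate(lam, meanlog, sdlog, years=100_000)
    for t in (0, 1_000_000, 10_000_000):
        print(f"P(annual loss > ${t:,}) = {exceedance(fc, t):.4f}")
```

With sdlog above 3 the loss distribution is heavy-tailed, so the simulated average loss moves substantially between seeds even at 100,000 years, while event counts and exceedance probabilities are stable.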

Forecast Summary

A summary() of the forecast results.

      year            risk               events           losses         
 Min.   :     1   Length:300000      Min.   : 0.000   Min.   :0.000e+00  
 1st Qu.: 25001   Class :character   1st Qu.: 0.000   1st Qu.:0.000e+00  
 Median : 50000   Mode  :character   Median : 1.000   Median :3.539e+04  
 Mean   : 50000                      Mean   : 1.421   Mean   :8.352e+06  
 3rd Qu.: 75000                      3rd Qu.: 2.000   3rd Qu.:1.439e+06  
 Max.   :100000                      Max.   :10.000   Max.   :4.306e+11